topic Re: ISE certs types in Network Access Control

ISE certs types

NETAD — Thu, 23 Aug 2018 04:08:26 GMT

Hello, what kind of cert ls is needed on ISE for the following:

1-Guest Portal: wildcard publicly signed cert with the wildcard present in the CN and the hostname as one of the SANs?

2-EAP-TLS: issued by an internal CA? How should the cert be structured for the client, and server?

3-BYOD: use ISE internal CA feature?

4-Node registration: use self-signed or the same wildcard cert used for the guest portal?

Thanks

Re: ISE certs types

Damien Miller — Thu, 23 Aug 2018 04:48:58 GMT

For items 1, 2 and 4 you can use the same public CA issued wildcard cert if you want. If you do go this route, ensure that the *.ise.domain.com is in the SAN and not the CN. The CN can be any name you want (ex. it could be CN=ise.domain.com) so long as it is also included as a SAN. It does not need to be a node hostname.

Admin, EAP, and Guest portals will all work fine with the same wildcard certificate so long as you follow the rules above.

In regards to 3 for BYOD. I have leveraged ISE to provision certs for non corporate devices but I have not used ISE to directly issue these. In past deployments I used ISE to call an internal Microsoft CA via scep then issue the user cert. I've heard from peers that the ISE CA is more than capable of doing the same. Depends what you want/need.

Re: ISE certs types

NETAD — Thu, 23 Aug 2018 16:10:37 GMT

Thanks Damien,

So all the ise nodes hostnames must be one of the SANs, the wildcard must be one of the SANs, and anything in the CN?

what about the client side certs when using eap-tls?

Re: ISE certs types

howon — Thu, 23 Aug 2018 16:59:30 GMT

Like Damien noted, you just need to make sure the CN includes generic name such as ise.example.com. For the SAN at minimum have ise.example.com (Repeat of what was done for CN) and *.example.com (Wildcard).

For endpoint certificate, the attibributes are auto populated based on the "Certificate Template" on ISE. You can change it by going to Administration > System > Certificates, then on the left menu Certificate Authority > Certificate Template. The one named 'EAP_Authentication_Certificate_Template' is the default template that is used for the endpoints during the BYOD flow, but you can create a new one as well.

Re: ISE certs types

NETAD — Thu, 23 Aug 2018 17:05:42 GMT

Thanks. I was inquiring about the corporate endpoints certs structure and issuance.

Re: ISE certs types

howon — Thu, 23 Aug 2018 20:45:30 GMT

Not sure which platform you will be using for corp endpoints, but if it is Windows, then you can use certificate template on Windows CA to dictate how the attributes are populated with auto enrollment. As long as the certificates are mutually valid then ISE can authenticate the endpoint. I recommend using UPN or SPN for the CN field in the template for easy integration with ISE. Here is link to the Windows CA Auto enrollment:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

Re: ISE certs types

NETAD — Sat, 29 Sep 2018 03:09:48 GMT

Hi guys, for a 5 node distributed deployment, what kind of cert do you recommend. The client doesn’t have a pki infrastructure. Is it ok to use the self signed certs or should I have them purchase a wildcard cert with the nodes fqdns in the SAN field?

Re: ISE certs types

Jason Kunst — Sat, 29 Sep 2018 11:12:21 GMT

Great article

https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Also read admin config guide

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011011.html